Verified The UK's Digital Identity Dilemmas Benjamin Barnard Foreword by Matt Warman MP - Policy Exchange
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Verified The UK’s Digital Identity Dilemmas Benjamin Barnard Foreword by Matt Warman MP
Verified The UK’s Digital Identity Dilemmas Benjamin Barnard Foreword by Matt Warman MP Policy Exchange is the UK’s leading think tank. We are an independent, non-partisan educational charity whose mission is to develop and promote new policy ideas that will deliver better public services, a stronger society and a more dynamic economy. Policy Exchange is committed to an evidence-based approach to policy development and retains copyright and full editorial control over all its written research. We work in partnership with academics and other experts and commission major studies involving thorough empirical research of alternative policy outcomes. We believe that the policy experience of other countries offers important lessons for government in the UK. We also believe that government has much to learn from business and the voluntary sector. Registered charity no: 1096300. Trustees Diana Berry, Alexander Downer, Pamela Dow, Andrew Feldman, David Harding, Patricia Hodgson, Greta Jones, Edward Lee, Charlotte Metcalf, David Ord, Roger Orf, Andrew Roberts, George Robinson, Robert Rosenkranz, William Salomon, Peter Wall, Simon Wolfson, Nigel Wright.
Verified
About the Author
Benjamin Barnard, Head of Technology Policy. Benjamin leads Policy
Exchange’s research into Technology and the Digital Economy. He joined
Policy Exchange in July 2019 after graduating from Christ Church, Oxford
with a First Class degree in History. He is the author of a number of reports
including ‘FinTech For All’ (exploring how FinTech can improve access
to financial services), ‘Daylight Robbery’ (detailing how to fight COVID-
related public sector fraud) and ‘Whitehall Reimagined’ (which included
recommendations to improve the use of technology and data across
Whitehall).
2 | policyexchange.org.ukAcknowledgements
Acknowledgements
The author of this report is thankful to all those who contributed to the
research or who contributed through meetings and informal discussions.
Specific thanks go to Will Heaven, Julia Mizen, Sophia Falkner, Gabriel
Elefteriu, Dom Walsh, Frank Joshi, Joseph Spear, Ruth Milligan and Ross
Kempsell for their input into this project. We would also like to thank
a number of officials at the Department for Digital, Culture, Media and
Sport, the Cabinet Office, the Government Digital Service and other Civil
Service departments who have been helpful in providing information and
responding to requests. Any errors remain the authors. Special thanks to
Jos Henson-Grič, who started this report and who’s contribution was
invaluable
© Policy Exchange 2020
Published by
Policy Exchange, 8 – 10 Great George Street, Westminster, London SW1P 3AE
www.policyexchange.org.uk
ISBN: 978-1-913459-41-3
policyexchange.org.uk | 3Verified
Contents
About the Author 2
Acknowledgements 3
Foreword 5
Executive Summary 7
Recommendations 12
Introduction 15
What is Digital Identity? 15
Why is digital ID vital to future UK prosperity? 16
A Crucial Juncture: The UK’s Digital Identity Dilemmas 17
How is this Report Structured? 18
Core Concepts 19
Traditional Identity Verification 19
Defining Digital Identity 20
‘Portable’ Digital Identities 25
Identity Verification Technology 27
Digital Identity in the Private Sector 31
Improving Know Your Customer (KYC) Procedures and Preventing
Fraud 31
Customer Onboarding in Financial Services 33
Legal Identifiers and Corporate Digital IDs 34
Opening Up the Economy: Digital Vaccination Certificates & Contact-
less ID transactions 35
Digital ID in the UK Public Sector 38
The context to digital ID in the UK 39
The Limitations to the Government’s Current Approach 47
The Next Steps in Digital ID 50
Recommendations 54
4 | policyexchange.org.ukContents
Foreword
Matt Warman MP
In these unprecedented times it has become more important than ever for
businesses and the public sector to adapt quickly and provide people with
services online. The need to prove who you are digitally has become a vital
part of everyday life for many people.
We are an unashamedly pro-tech government and I was pleased to
present, with Minister Lopez, the Government’s response to the digital
identity Call for Evidence in September. It was clear from all the responses
we received that there is a lively public interest in the potential for an
enabling framework of legislation, standards and oversight for digital
identity.
Businesses want to be able to innovate and individuals are keen to
quickly and easily access products and services relevant to them, confident
they are protected from fraud and that robust privacy protections are in
place. This new report from the Policy Exchange highlights the importance
of considering all those elements as the digital identity market develops,
and I welcome this timely contribution to the ongoing dialogue on digital
identity.
I am particularly glad that the report acknowledges our responsibility
as a society to ensure the digital transformation of our economy does
not leave behind those who would not naturally choose to use new
technologies. As our understanding of the possibilities of digital identity
tools and products grows, I am inspired by the opportunities to provide
solutions to the online problems regularly faced by some of the most
vulnerable in our society.
Done right, digital identity can support inclusion, increase data privacy
and control, and protect people from the increasing threat of cyber crime.
Our new National Data Strategy points to digital identity as a prime
example of the kind of data-driven innovation that can - at the most
practical level - spur on the digital transformation we are working towards
across the entire economy.
As this report illustrates, there is much that both the government and
the private sector can continue to build upon to create trust in digital
identities.
This government is committed to increasing online security, delivering
personalised services, increasing productivity and boosting the economy.
It is committed to developing a cross-government identity system focused
on user need. It is also committed to doing this without the need for ID
cards. We are working at pace to realise this ambitious vision and continue
to collaborate with industry and civil society groups to develop the next
policyexchange.org.uk | 5Verified
phase of the digital identity economy.
This report makes a helpful contribution to the public debate which is
vital as we work to create a secure, inclusive and fair framework that will
enable products and services fit for the digital age.
Matt Warman MP, Minister for Digital Infrastructure
6 | policyexchange.org.ukExecutive Summary
Executive Summary
The Importance of Identity
Every day we have to prove that we are who we say we are. When we buy
alcohol, open a bank account or apply to receive benefits or entitlements,
we have to produce physical documents (like passports, driving licences
or utility bills) that contain private information about ourselves in order to
prove our identity. Identity assurance is the first step in nearly all interactions
between the government and its citizens, or between businesses and their
customers.
Those without identity documentation will suffer from financial,
economic and social exclusion. One in five people in the UK lack an
“anchor” identity document, such as a passport or a driving licence.
Without proof of identity, citizens will struggle to access basic services
such as Universal Credit, will fail pre-employment checks (which require
proof of address and the right to work in the UK) and will be unable to
open a bank account, as Policy Exchange showed in FinTech For All (2020).
Identity proofing and verification is also vital in the prevention of,
and the fight against, fraud. Fraud costs the UK economy at least £193
billion each year, equating to more than £6,000 lost per second every day.
Moreover, as Policy Exchange demonstrated in Daylight Robbery (2020), the
methods that fraudsters use to impersonate others become more advanced
every year.
The Problem
As more services move online, customers and citizens now need to
make assertions about their identity both digitally and remotely. This
need has been highlighted by the COVID-19 crisis and the imposition
of Government-mandated social distancing measures, which forced
businesses and governments alike to complete identity checks digitally to
avoid unnecessary face-to-face contact or the potential transmission of the
virus via the handling of identity documents.
At present, proving one’s identity online can be cumbersome and
difficult. People often have to send scanned copies of their identity
documents to organisations on the blind trust that their personal
information will be stored securely and not misused, creating ‘honey pots’
of personal data for hackers. Moreover, customers have to manage hundreds
of online accounts and constantly resubmit the same personal data every
time they undertake an identity transaction, making it very difficult to
policyexchange.org.uk | 7Verified
track which organisations are in possession of their personal information.
Equally, even if people do submit accurate information about themselves,
in the absence of a face-to-face check it is very difficult to prove that they
are not fraudsters using personal information obtained from either cyber
attacks or from data breaches in order to masquerade as another individual
to gain unauthorised online access to goods, services or entitlements.
What is a Digital Identity?
Digital Identity schemes (or solutions) allow people to prove their
identities online. A digital identity is a collection of data belonging to a
legal entity which can be used as a digital representation of a unique person
or organisation. A digital identity provides a method of electronically
verifying that people are who they claim to be so that they can access
services. Most digital ID transactions are actually based, initially, on
physical documents or certificates, but, if you have a digital ID, you don’t
need to produce these documents to access online services. Such digital IDs
are secured using advanced cryptographic techniques. Digital IDs can limit
the amount of information that a user has to transfer to any organisation
which relies on their identity assertion by confirming or denying whether
that user meet the criteria rather than by transferring his or her personal
information (such as their exact date of birth).
For organisations to have a high level of assurance in a digital ID, the
data comprising a digital ID needs to be verified as accurate by trusted
parties. Unless the data comprising a digital ID is verified as accurate by
another party that is qualified to do so, then that digital ID cannot be
used to access services that are sensitive to abuse by fraudulent actors.
Once users have created ‘verified’ digital IDs, they can be used to access
multiple services from multiple different organisations. Digital ID services
that are designed with high user control allow citizens to control how
their personal data is shared and who has access to it.
The Context to Digital ID in the UK
The UK differs from many European countries because it lacks a
Government-mandated and centrally supported biometric ID card.
Such cards often provide the basis of national digital ID schemes and can
be used by citizens to access online services provided by both the public
and the private sectors. The UK Government has a long-standing political
commitment not to introduce biometric identity cards or establish a central
database of citizen attributes, following the repeal of the Identity Card Act
in 2011 (a decision taken in part on grounds of civil liberties). This is a
unique foundational difference to other countries, such as Estonia, that have
launched national digital identity programmes, many of which involve
citizen biometrics. This report does not call for mandatory biometric ID
cards supported by a centralised register of UK citizen attributes. Instead,
it explores how to improve identity verification in the public and private
sector.
8 | policyexchange.org.ukExecutive Summary
Digital Identity in the Private Sector
The lack of reliable digital ID services is a severe limitation to the
UK’s digital infrastructure. At present, the UK is one of the world’s
leading digital economies. This progress will be hampered unless there
are secure and reliable ways to prove one’s identity when accessing goods
and services online. To prevent fraud and to comply with regulations,
businesses providing services online have to perform expensive, and
often unreliable, checks on the information that their customers provide.
Creating a viable digital ID ecosystem can help to prevent fraud across
both the public and private sectors, as well as reducing administrative
costs for businesses. Furthermore, digital vaccine certificates, stored in
a decentralised way on users’ phones and not on a central server, could
possibly help to open up the economy once reliable COVID vaccinations
are developed and widely available.
In the UK, the market for digital identity services is fragmented. The
UK Government has a vital role to play in setting the regulatory standards
and liabilities for digital ID services in the private sector. Likewise, the
Government also has access to large data assets that could be used to verify
the identities of those trying to access services provided by the private
sector; it has a duty to protect consumers and offer them confidence in
using digital identities. It must support the creation of a fully-functioning
digital identity marketplace across both the public and private sectors, and
one which which is recognized in the EU and internationally.
Digital Identity and Public Services
As more government services have moved online, Government
Departments need to complete identity checks remotely and digitally.
There are a number of public sector identity management systems. Every
UK Citizen has an NHS number and can use NHS Login to access multiple
digital health and social care services. Similarly, Government Gateway (run
by HMRC) allows citizens to access over 120 Government services. The
UK Government launched a common identity assurance platform called
GOV.UK Verify in 2016 after a number of years in development. It was
originally intended to replace Government Gateway and was launched
with the aim of preventing multiple Government Departments from
pursuing separate and siloed approaches to identity assurance, with the
intention of reducing inefficiency and costs for taxpayers.
The Lessons Learnt from GOV.UK Verify
To avoid the creation of a government-held central register of UK
citizen attributes, GOV.UK Verify took a ‘federated’ approach to
digital ID. It outsourced the problems of verifying identity to a set of
private companies or identity providers, known as ‘certified companies’,
who each had to undergo checks to ensure that they could be trusted to
keep user data secure. In order to create a Verify account, citizens choose
to register with one of the certified companies and provide them with
personal information which the companies then check against a variety
policyexchange.org.uk | 9Verified
of different records. Once these checks are completed, you can use your
Verify account to access Government services online such as to receive
benefits (the Department of Work and Pensions was its largest customer)
or to pay tax bills. In addition to providing identity assurance for the
UK Government, GOV.UK Verify was also intended to create a market
for digital IDs in the UK by encouraging citizens to create digital IDs
which could then be reused in the private sector. GOV.UK Verify aimed
to preserve user privacy by ensuring that the certified companies could
not see which Government services their users were accessing and by
preventing Government departments from seeing unnecessary personal
information.
GOV.UK Verify has missed its targets. In 2019, both the National
Audit Office and the Infrastructure and Projects Authority recommended
that the Government terminate the project. The Government was supposed
to stop funding the system (which has cost over £175m already) in April
2020 but, due to the surge in numbers of people claiming Universal
Credit at the start of the COVID-19 crisis, HM Treasury agreed to provide
GOV.UK Verify with public funds for a further 18 months, reportedly on
the condition that the Government Digital Service (GDS) should not add
any further Government services to the Verify roster. It also stipulated
that GDS create alternative identity verification tools for services solely
reliant on Verify. Furthermore, the Department for Work and Pensions has
launched its own identity verification platform (Confirm Your Identity)
and HMRC’s Government Gateway was used to sign up Universal Credit
claimants due to the strain on GOV.UK Verify during the COVID-19 crisis.
GOV.UK Verify struggled because it was launched before other
Government Departments had promised to participate in the scheme.
Moreover, its ‘closed’ commercial framework limited the number of
third parties who could act as certified companies. Furthermore, the UK
Government missed key opportunities to sign up others to the scheme,
for which ministerial accountability was unclear. From the outset, it
struggled to balance ease of access (ensuring that users managed to verify
their identity in a quick and frictionless way) with the completion of the
necessary and important tests that are required to prevent fraud. This
resulted in poor user experience. It also did not make sufficient use of
Government data sources during the identity proofing and verification
process, which may have made it more difficult for certain demographics
with weak digital footprints (known as “thin file” users) to sign up. This
was a particular problem because the DWP was its largest customers and
Universal Credit claimants were more likely than others to be “thin file”
users.
10 | policyexchange.org.ukExecutive Summary
The Future of Digital ID and Public Services
The UK Government needs to confront a number of separate, but
related, dilemmas:
• How to develop a reliable public sector identity model: Unless
the UK Government develops reliable identity solutions across
Whitehall, there will always be a bottleneck on the development
of the UK public sector’s digital ambitions and a limited number
of transactions between the Government and its citizens that can
be completed online. Nonetheless, it must complete identity
transactions in such a way that preserves the civil liberties and
privacy of its citizens, a necessity that often generates controversy
given the centrality of biometric data to many digital ID solutions
in the private sector. The Government must determine the role of
third parties in providing identity assurance for the Government
and work out how to develop a secure and user-centric model of
digital identity that puts individuals in control of their data.
• ‘Siloes’ or ‘Platforms:’ The UK Government must determine
whether it is possible to pursue a coordinated approach to digital
ID across Whitehall, or whether it is instead preferable to encourage
Government Departments to pursue individual (siloed) but
tailored approaches to identity, in turn creating a suite of different
identity solutions for different public services. Although there are
clear advantages to developing a common approach, to do so will
require political leadership and technical expertise to ensure that
user experience is not compromised and that user needs are met.
policyexchange.org.uk | 11Verified
Recommendations
• Preserve traditional methods of identity checks. Although this
report aims to demonstrate the benefits of digital identity both
as a way of preserving user privacy and of enabling better access
to public services, there are many individuals who either lack the
skills or resources to access services online or who may always feel
uncomfortable creating and using a digital ID. Although there has
been progress in addressing the digital divide in recent years, the
Government should acknowledge this fact and ensure that there is
never a situation in which having a digital ID is mandatory or that
certain public services are only accessible through the creation and
use of a digital identity. To do so will assuage any public concerns
about digital ID policy and will also ensure that public services
remain accessible to all.
• Create a dedicated ministerial portfolio for digital identity.
Although the Government has announced the creation of a new
Digital Identity Strategy Board, a dedicated minister for Digital
Identity would ensure democratic accountability for Government
identity policy.
• Publish a 10-year Digital ID Strategy. Such a strategy must clarify
the future of GOV.UK Verify. It must also explore how biometrics
are used in the wider private sector and set out how to protect
consumers and their data in order to ensure that they are confident
in using digital identities. It should also set out the long-term role
of accredited third-party identity providers in the public sector.
If third parties (such as banks) are to play a role in providing
identification services to the Government, the strategy should
explore how to establish a trust mark for digital identity products
and the processes by which those trust marks are assessed.
• The Department of Work and Pensions should continue to
accelerate the launch of The Confirm Your Identity (CYI)
service, which helps Universal Credit claimants prove their
identity online during the application process. The creation
of a tailor-made identity solution for the DWP should be
encouraged because those reliant on welfare are more likely to
lack ID documentation. Nonetheless, there are clear advantages to
developing cross-departmental identity solutions and there is a risk
that every department will develop separate and siloed approaches
to identity assurance, leading to increased costs for taxpayers. The
development of a reliable cross-departmental identity solution that
12 | policyexchange.org.ukRecommendations
is easy for citizens to use should be a key priority for Government.
• Commence feasibility assessment for digital vaccination
certification. Once, and if, a vaccine for COVID-19 is developed,
evidence that a citizen has received the immunisation through the
official UK programme could be linked to a verified vaccination
certificate, secured and stored in a decentralised and privacy-
enhancing way on a user’s phone. Although the Government is
yet to outline its broader approach to vaccination, individuals
could possibly use these verified vaccination certificates to gain
access to a limited number of settings where the risk of infection
is higher (such as a nightclub, for example) so as to ensure that
the vulnerable are not exposed to the virus. The complexities and
trade-offs associated with delivering such a scheme would be
significant, including mitigating the risk of vaccine fraud. Scoping,
consultation and feasibility assessment must, therefore, commence
now.
• Remove legislative barriers that prevent businesses from
completing contactless identity transactions. The UK
Government should amend legislation (such as the Licensing Act
2003) that mandates private sector companies to check physical
documents, so as to remove barriers to the use of digital identities.
This will enable users to use digital IDs stored on their phones to
prove their identity and prevent the risk of transmission of COVID
through the handling of identity documents.
• The Government should extend the scope of the Document
Checking Service Pilot Scheme to include driving licences
and increase participation in the scheme. The Document
Checking Service checks passport details against the HM
Passport Office (HMPO) database. It provides a simple ‘yes’ or
‘no’ response to say whether a passport is valid without giving
direct access to government-held data. The Government recently
announced that they would be extending the DCS Pilot Scheme.
In future, the number of private sector participants should be
expanded dramatically, especially to include small and medium-
sized enterprises (SMEs) and emerging FinTech companies.
Furthermore, at present it is only possible to check passport data
against HM Passport Office data. The service should be extended
to check other identity documents including driving licenses.
• Use the National Data Strategy to identify additional
Government data sources that could be used to support
identity proofing and verification processes. To verify a person’s
identity, companies need to refer to a combination of official
and commercially available data sources. This often happens by
drawing upon data from Credit Reference Agency (CRA) files. The
digital availability of Government registers (both to Government
Departments and to private sector organisations) would support
identity and eligibility checking. It could help to eliminate “thin
policyexchange.org.uk | 13Verified
file” consumers who may struggle to access online services simply
because they have weak financial or digital footprints. Like the
document checking service, such data should be provided without
giving direct access to government-held data.
• Establish the regulatory requirements of the digital ID
ecosystem. Issues of liability will arise whenever a party suffers
a financial loss as a result of a mistake made during the identity
transaction process. The Government should establish regulations
that stipulate who is liable for fraudulent use of a digital identity.
• Establish more nuanced Digital ID standards across the public
sector. It is a complex challenge to find the balance between ease
of access to services and the high levels of assurance that are often
required to prevent fraudsters. The Government should establish
more nuanced standards so that checks are not too rigorous and
that there is not an abrupt cliff-edge between different levels of
authentication that unnecessarily prevents people from gaining
access to services.
• Establish a Digital Business Identity programme. This would
could help to improve companies’ access to government business
support measures and make it easier to bid for Government
contracts. It would also support those applying for grant funds and
R&D Tax Credits.
14 | policyexchange.org.ukIntroduction
Introduction
What is Digital Identity?
Every day we have to prove that we are who we say we are. When we
buy alcohol, open a bank account, receive benefits or go through border
controls, we have to produce physical documents (like passports, driving
licences or utility bills) that contain private information about ourselves.1
These documents can provide information including our age, our address,
our nationality or for how long we have been resident in the UK. Even
when we access services online, it is often still necessary to scan pictures
of these physical identity documents, send them via post to Government
agencies or business or go, in person, to be identified.
Digital IDs allow people to prove their identities online, without
recourse to physical documents or artefacts. Put simply, a “digital
identity” is a set of different pieces of information which can be used to
identify a defined subject online (in this instance a person, but the same
can be true of other legal entities such as businesses).2 For example, by
using a digital identity, somebody would be able to open a bank account
without sending the bank a scan of their passport and their utilities bill
to their bank. Most digital ID transactions are actually based, initially,
on physical documents, but, if you have a digital ID, you don’t need to
produce these documents every time you complete a transaction.
What is a Digital Identity?
• A digital identity is a collection of data belonging to a claimed
identity, usually verified by trusted parties, which can be used as
a digital representation of a unique person or organisation.3 The
1. GOV.UK, Proof of Identity Checklist, Updated
main role of a digital ID is authentication: to verify whether an 10 March 2014,
entity is who (or what) they (or it) is believed to be and whether
https://www.gov.uk/government/
they are worthy of trust. publications/proof-of-identity-checklist/
proof-of-identity-checklist#proof-of-
identity-checklist-for-individuals
• The UK Government defines a digital identity as “a trusted way of
2. TechUK, The Case for Digital IDs, 4 Feb 2019,
proving one or more attributes about themselves online or offline https://www.techuk.org/images/docu-
and linking those attributes to that same person as a uniquely ments/digital_id_FINAL_WEBSITE.pdf
identifiable individual.”4 3. OIX, Establishing a Trusted Interopera-
ble Digital Identity Ecosystem in the UK:
White Paper, October 2019, https://
openidentityexchange.org/wp-content/
uploads/2019/10/Establishing-a-Trust-
ed-Interoperable-Digital-Identity-Ecosys-
tem-in-the-UK-White-Paper-Oct-2019.pdf
4. DCMS and Cabinet Office, Digital Identity:
Call for Evidence, July 2019, https://assets.
publishing.service.gov.uk/government/up-
loads/system/uploads/attachment_data/
file/818801/Digital_Identity_-_Call_for_Ev-
idence.pdf
policyexchange.org.uk | 15Verified
When accessing services online (provided by either the public or
private sector), it is very often necessary to prove that you are eligible.
New technologies allow individuals and organisations to:
• Remotely verify original documents and extract data from them,
• Verify only selected data from documents (e.g. a name or age)
rather than sharing all the included data,
• Perform binary verification checks of personal data without
revealing personal details (for example, confirming whether
somebody was over the age of 18, rather than revealing their date
of birth)
• Control who has access to their personal information, provide
greater transparency over who has access to that data and limit the
amount of information being shared.
Why is digital ID vital to future UK prosperity?
Digital IDs are essential to the development of the digital economy.
Any advanced economy (particularly one in which financial transactions
are conducted digitally and vital services are accessed online) needs
trustworthy and secure methods to provide businesses and citizens
with the trust that they are dealing with real entities. That is why it is
estimated that, by 2030, digital ID could create economic value equivalent
to 6 percent of GDP in emerging economies and 3 percent in mature
economies (on a per country basis).5 By 2022, an estimated 60% of world
GDP will be digitized, meaning that digital ID will be an essential tool in
verifying the identities of parties involved in financial transactions and
preventing fraud.6
The outbreak of COVID-19 has demonstrated the importance of
digital ID. Government-mandated social distancing and the shift towards
online services has demonstrated the urgent need for digital methods of
proving one’s identity. Indeed, the COVID-19 outbreak has meant that
essential services, particularly those provided by the Government, that
were previously administered face-to-face have had to be moved online.
Ensuring that services are easily accessible to citizens whilst also ensuring
5. McKinsey Global Institute, Digital Identi- that sufficient identity checks are completed in order to prevent fraudulent
fication, A Key to Inclusive Growth, April
2019, https://www.mckinsey.com/~/me- activity and unauthorised access to those services has been a complex
dia/McKinsey/Business%20Functions/
McKinsey%20Digital/Our%20Insights/ challenge for Governments and businesses in the UK and abroad.7
Digital%20identification%20A%20key%20
to%20inclusive%20growth/MGI-Digi-
Industries, such as banking, which traditionally relied upon physical IDs
tal-identification-Report.ashx to authenticate customers and employees have had to undergo a radical
6. TechUK, ”FATF issues Guidelines on Digital
ID”, 7 April 2020, https://www.techuk.org/
transformation to adapt to the conditions that COVID-19 has imposed on
insights/news/item/17246-faft-issues- our lives to provide secure online services for their customers.8
guidelines-on-digital-id
7. TechUK Event, Now More than Ever, 21 May
2020, https://www.techuk.org/insights/
meeting-notes/item/17657-digital-identity-
now-more-than-ever
8. Planet FinTech, Digital Identity Verification ‘on
the rise’ amid Coronavirus, https://www.plan-
et-fintech.com/Digital-Identity-Verifica-
tion-on-the-rise-amid-Coronavirus_a1395.
html
16 | policyexchange.org.ukIntroduction
eIDAS
• eIDAS establishes mutual recognition of identity standards and
provides a mechanism for permitting and forcing acceptance
of eIDs authorised by one EU member state in all other member
states.9
Digital IDs have a number of potential benefits. Although this paper
will focus primarily upon the process of proving one’s identity online,
in addition to preventing cyber-crime and identity fraud, digital identity
could also improve a range of private and public sector activities in the
long-term (like credit rating or DRB checking) that rely on accurately
linking individuals with information about them.1011 Digital identity could
support a variety of different groups in the long-term:
• Consumers: increased security for, and control over, their personal
data.
• Government: providing the tools for Government to engage with
its citizens more efficiently and prevent fraud without greater
encroachment on civil liberties.
• Businesses: a reduction in losses to fraud and the costs associated
with regulatory compliance.
• Society: better and more efficient public services that deliver better
value for money.
Other legal entities (such as corporations and trusts) also have to make
10. Due to scope, this report will exclude digital
assertions about their identity. Business to business (B2B) transactions ID in immigration and healthcare.
depend upon the trust between parties. Moreover, many organisations 11. Seon, “Digital ID Profiling and The Future of
Credit Scoring”, 12 March 2019, https://seon.
need not only to let different employees access different internal services io/resources/digital-id-profiling-and-the-fu-
ture-of-credit-scoring/
based on their attributes, but employees often need a mechanism to prove 12. Government Digital Service, Guidance,
that they are, in fact, a representative of a legal organisation and that they “GOV.UK Verify”, 18 June 2020, https://
www.gov.uk/government/publications/
have the authority to approve a commercial transaction or act on behalf of i n t r o d u c i n g - g o v u k - v e r i f y/ i n t r o d u c -
the company. ing-govuk-verify; HMRC, Corporate Report,
“HMRC Government Gateway Transfor-
mation Programme: Accounting Officer
A Crucial Juncture: The UK’s Digital Identity Dilemmas
assessment summary”, https://www.gov.uk/
government/publications/accounting-of-
ficer-assessment-summary-for-the-govern-
The UK Government is at a crucial juncture when it comes to digital ment-gateway-transformation-programme/
identity. Unlike many other countries, the UK Government does not have hmrc-government-gateway-transforma-
tion-programme-accounting-officer-assess-
a state-issued biometric ID card upon which a public sector digital ID ment-summary
scheme could be based. Instead, there are a range of digital ID solutions 13. Hansard, 18th May 2011, https://hansard.
parliament.uk/Commons/2011-05-18/
across Whitehall, including HMRC’s Government Gateway and GOV. debates/11051863000014/IdentityAssur-
UK Verify.12 Indeed, GOV.UK Verify was launched with the intention of ance
14. ComputerWeekly, HM Treasury tells GDS:
providing a single platform for all online identity transactions between the No further online services can use Gov.uk
Government and its citizens, as well as to establish a digital ID market in Verify, 7 May 2020, https://www.com-
p u t e r w e e k l y. c o m /n e w s / 2 5 2 4 8 2 8 2 8 /
the UK. 13 In May 2020, it was announced that GOV.UK Verify would be HM-Treasury-tells-GDS-no-further-on-
line-services-can-use-Govuk-Verify?_
prohibited from adding additional services to its roster.14 ga=2.34113895.758846749.1591016742-
466382040.1591015386
9. Regulation (EU) No 910/2014 of The Euro-
pean Parliament And Of The Council of 23
July 2014
http://eur-lex.europa.eu/legal-content/EN/TXT/
PDF/?uri=CELEX:32014R0910&from=EN
policyexchange.org.uk | 17Verified
GOV.UK Verify
• GOV.UK Verify allows citizens to prove their identities online when
accessing Government Services. It operates without a central
government database of citizen attributes and works with certified
companies, known as identity providers (IDPs), to prove users’
identities.
• In order to create a Verify account you have to provide some
personal information which is then checked against a variety of
different records. Once these have been checked, you can use
Verify to access Government services online such as the receipt of
benefits or to pay tax bills.
The reported decision to discontinue GOV.UK Verify means that the
UK Government is at a crossroads when it comes to identity policy. It
needs to resolve the following questions:
• Digital ID in the Private Sector: What role should the UK
Government play in regulating and supporting the UK digital
ID market? What safeguards are necessary to protect citizens’
information? Should private sector companies check government
data sources for ID verification purposes to prevent fraud?
• Digital ID in the Public Sector: Multiple Government departments
and agencies need to verify the identities of their citizens. Does
the UK Government need to create a cross-departmental identity
verification platform and, if so, what form should that take?
What role should third party identity providers play in providing
access to services provided by the public sector? How can the
UK Government create identity assurance services that limit user
friction and encourage ease of access whilst also ensuring that
there are sufficient checks to prevent fraud?
How is this Report Structured?
This report is divided into three parts:
• Core Concepts. This part explains the theoretical model of how a
digital ID service based on mutual standards and trust works, as
well as the technology that enables it.
• Digital ID in the Private Sector: This section aims to show
how digital IDs can support a range of public and private sector
activities.
• Digital ID in the Public Sector. This part explores the state of the
digital identity ecosystem in the United Kingdom. It explores the
decisions that led to the creation of GOV.UK Verify and evaluates
the performance of the programme.
Future UK prosperity is at risk unless it develops a viable digital ID
ecosystem. The UK has historically been a world-leader when it comes to
15. The Fletcher School, Tufts University, Digital technological innovations.15 Unless it acts now to facilitate the development
Evolution Index, 12 July 2017,
of a digital identity market, it risks falling behind in this crucial digital
https://sites.tufts.edu/digitalplanet/digital-
evolution-index-the-uk-is-among-the- frontier.
handful-of-digital-elite-countries-and-
leader-of-europe-telecoms-tech-news/
18 | policyexchange.org.ukCore Concepts
Core Concepts
An Introduction to Digital ID
This chapter aims to explain the core concepts behind digital identity.
It is divided into four sections. These are:
1. Traditional Identity Verification
2. Defining Digital Identity
3. Standards and Trust
4. Identity Verification Technology
Traditional Identity Verification
In the United Kingdom, citizens use a range of physical documentation
to prove their identity. Issued by a range of different Government
Departments and organisations, both the Government and private
businesses use these documents to check the identities of their citizens and
customers (respectively).16 They do so to check that they are eligible to
receive entitlements, to comply with regulations (such as age restrictions
or anti-money laundering measures) and to mitigate the risk of fraud.17
All of these documents contain different pieces of personal information,
which can be used to prove our identity.18 These forms of identity include,
but are not limited to:
• Bank statements
• Birth certificates
• Driving Licences
• National Insurance Numbers
• Passports
• Residence permits
16. Cabinet Office & Department of Culture, Me-
• Tenancy agreements dia and Sport, Identity proofing and verification
of an individual, 17 December 2019, https://
• Tax documents – such as P45s and P60s www.gov.uk/government/publications/
• Utility bills identity-proofing-and-verification-of-an-in-
dividual/identity-proofing-and-verifica-
tion-of-an-individual
Traditionally, these documents have been checked manually. Checks 17. FinTech Futures, The Future of Client On-
boarding, 24 September 2019, https://
are undertaken to determine whether people are presenting fake IDs and, www.fintechfutures.com/2018/09/the-fu-
ture-of-client-onboarding/
if the ID is legitimate, that it doesn’t belong to somebody else. This process 18. The Money Laundering and Terrorist Financ-
can be time-consuming, inconvenient and expensive for businesses. ing (Amendment) Regulations 2019, http://
www.legislation.gov.uk/uksi/2019/1511/
Moreover, without specialist tools, it is often difficult to detect fraudulent contents/made,
documents. Those without any identity documentation whatsoever will CIMA Global, https://www.
cimaglobal.com/Global/UK/AML%20
statutory%20instruments.pdf,
policyexchange.org.uk | 19Verified
struggle to access essential Government services and will not be able to
open a bank account.19
ID Documents and Social Exclusion
Lack of ID is a key driver of financial and social exclusion. Many
individuals (known as ‘thin file’ individuals) may be denied access to
essential services:
• Those who lack proof of their identity are unable to open bank
accounts and will struggle to access Government entitlements and
benefits, such as Universal Credit. As Policy Exchange pointed out
in FinTech for All, those who are unable financial services will suffer
from severe social exclusion.20
• They are also likely to fail pre-employment checks, which require
proof of address and the right to work in the UK to be confirmed.21
Many in the UK, and globally, lack ID documents:
• One in five of the UK population has no root anchor document,
such as a passport or driving licence.22
19. Policy Exchange, FinTech for All, January • 1 billion people globally are recognised to lack any form of digital
2020, https://policyexchange.org.uk/publi-
cation/fintech-for-all/
ID.23
24. Virginia Tech, “The Next Domino to Fall: Em-
pirical Analysis of User Passwords across
Online Services”, https://people.cs.vt.edu/
gangwang/pass.pdf Defining Digital Identity
25. Security Magazine, Average Business As more and more services move online, it is now necessary to
User Has 191 Passwords, 6 November
2019, https://www.securitymagazine. prove your identity digitally and remotely. Individuals often have to
com/gdpr-policy?url=https%3A%2F%2F-
w w w. s e c u r i t y m a g a z i n e . c o m % 2 F a r t i -
create multiple accounts with different organisations to create a unique
cles%2F88475-average-business-us- credential (often, a username and password) for every online service
er-has-191-passwords
26. As you can provide a false name and other
they access to prove that they are who they say they are.24 The average
information on sign-up, such accounts are person manages in excess of 191 pairs of usernames and passwords.25
“unverified” digital identities. As a result,
without further checks, they can’t be used Not only is this unmanageable and insecure, but it also places a great
to access vital public services or be used to
complete transactions where there is a high burden on organisations to verify their customers’ identities and ensure
risk of fraud. that their data is secure.26 Worse still, they often have to scan physical
27. Data Protection Act 2018, http://www.leg-
islation.gov.uk/ukpga/2018/12/contents/ documents and transfer them, often insecurely, to parties relying on their
enacted
identity assertions in the blind trust that these organizations will not lose
20. Experian, Making the Invisible Visible, https:// or share their data without their permission. Although there are a number
www.experian.co.uk/assets/consumer-cred-
it-risk/making-the-invisible-visible.pdf
of different regulatory requirements on businesses and Governments to
21. NARCO, “Lack of valid ID identified as key bar- protect their citizens’ data (such as those set out in the Data Protection Act
rier t moving on from crime”, 21 November
2018, 2018), there is no guarantee that companies or governments themselves
https://www.nacro.org.uk/news/nacro- will handle personal data properly.27
news/lack-of-valid-id-identified-as-key-
barrier-to-moving-on-from-crime/
22. Tech UK, The case for digital IDs, February
2019
https://www.techuk.org/images/documents/
digital_id_FINAL_WEBSITE.pdf
23. World Economic Forum, What does a Good
Digital ID look like?, 7 May 2019,
https://www.weforum.org/agenda/2019/05/
what-does-a-good-digital-id-look-like/
20 | policyexchange.org.ukCore Concepts
GDPR and the Data Protection Act 2018
• The General Data Protection Regulation (EU) 2016/679 (GDPR)
is a regulation in EU law on data protection and privacy in the
European Union (EU) and the European Economic Area (EEA).28
• The UK implemented the General Data Protection Regulation
(GDPR) through The Data Protection Act 2018.29
• According to research, the introduction of GDPR led to a $3.38
million decrease in the aggregate dollars raised by EU ventures per
state per crude industry category per week, a 17.6% reduction in
the number of weekly venture deals, and a 39.6% decrease in the
amount raised in an average deal.30
A digital ID can be used to prove an individual’s identity and their
right to access information or services online. The difference between
digital IDs and physical IDs is that a digital ID can be authenticated both
remotely and digitally. Once created, digital IDs can be reused multiple
times to access multiple different services, preventing the need to resubmit
personal information. They can combine multiple types of high-fidelity
digital data, as well as the personal information contained in the identity
documents above.31
Verified and Unverified Digital IDs
• Verified digital identities are made up of verified (confirmed)
attributes – proof that someone is who they say they are – from
documents such as passports, driving licenses, birth certificates
and biometric scans. Once this identity is created it can be used
like a passport around the web to access a whole range of other
services.
• Unverified digital identities are created when people register on
websites with their name, date of birth and other personal details.
This is still a form of digital identity (although some would argue that
it was not), which will allow access to other services (for example,
you can sign up to some other websites using your Facebook/ 31. Mastercard, Restoring Trust in a Digital World,
Google account) but there are many duplicates and fake profiles set March 2019, https://www.mastercard.
us/content/dam/mccom/en-us/issuers/
up on some sites. This would not be possible with a verified digital digital-identity/digital-identity-restor-
identity, which is why you are unable to use unverified identities ing-trust-in-a-digital-world-final-share-cor-
rected.pdf
to access government services and banking services, for example.32 28. General Data Protection Regulation (GDPR),
https://gdpr-info.eu
Digital IDs have a number of different uses. These include: 29. Data Protection Act 2018, http://www.leg-
islation.gov.uk/ukpga/2018/12/contents/
• Overcoming the difficulties of proving your identity online enacted
• Providing a mechanism to delegate authority and act on behalf of 30. Truth on the Market, “GDPR After One Year:
Costs and Unintended Consequences”, 24 May
another individual (such as an elderly or vulnerable member of 2019,
family). https://truthonthemarket.com/2019/05/24/
gdpr-after-one-year-costs-and-
• Providing a mechanism to prove that you have the authority to act unintended-consequences/
on behalf of an organisation (if, for example, you are a company 32. YOTI, Digital Identity Toolkit Section 3: Digital
identity explained, 1 January 2010, https://
director). www.yoti.com/wp-content/uploads/2020/01/
Digital-Identity-Toolkit_Section-3_Digital-iden-
tity-explained.pdf
policyexchange.org.uk | 21Verified
• Preventing the need for organisations to store copies of our personal
data, thereby reducing the risk of fraud and also preventing the
loss of sensitive data if services are breached,
• Reducing costs of businesses who have to complete due diligence
on their customers,
• Making it easier to reclaim an identity after being the victim of
identity theft.
Digital IDs have the potential to be used to do more than make identity
assertions. Crucially, once a citizen has created a digital ID relating to
themselves, it is possible to link more information and data to that verified
identity. In the long-term, digital ID provides a mechanism of storing data
from multiple sources - from both the private sector and from the public
sector - and giving individuals the capacity to control how their digital
IDs are used.33
Many countries around the world have digital identity services
or schemes for their citizens.34 These schemes or services provide a
mechanism for customers to share their identity attributes with third
parties to access a product or service online.35 Although digital ID services
have high start-up costs, and are complex to create, once created they can
operate at low costs and have the capacity to protect user privacy.36 These
schemes are particularly effective when they are interoperable across both
the public and private sectors, as they can prevent different organisations
from pursuing siloed and incompatible solutions to digital ID problems.37
Digital ID Data
Digital IDs encompass a wide range of data about individuals. Knowing
that someone is who they say they are, to an appropriate level of certainty
for the task in hand, is complex and changes over both time and context.
33. House of Commons, Science and Technology
Committee, Digital Government, 3 July 2019, Digital Identity can be more than just “a digitized passport, driver’s license,
https://publications.parliament.uk/pa/ or national ID card, a password replacement or an online profile”.38
cm201719/cmselect/cmsctech/1455/1455.
pdf See “Self-Sovereign” Identity below.
Instead, digital identity is:
34. See Chapter 3 “grounded in a collage of data that defines the individual. This collage of data,
35. OIX, Cost of doing nothing, April 2018,
h t t p s : //o p e n i d e n t i t y e x c h a n g e . o r g / when bound to the individual, verified, and made securely accessible while under
blog/2018/04/19/cost-of-doing-nothing/
a user’s control, is the essence of digital identity. Its primary purpose is not
36. OIX, Cost of doing nothing, April 2018,
h t t p s : //o p e n i d e n t i t y e x c h a n g e . o r g / just to identify somebody, but more importantly to confirm their entitlement to
blog/2018/04/19/cost-of-doing-nothing/
access a service or perform a particular task.”39
37. OIX, Establishing a Trusted Interoperable
Digital Identity Ecosystem in the UK Oc-
tober 2019, https://openidentityexchange.
org/blog/2019/10/04/establishing-a-trust-
ed-interoperable-digital-identity-ecosys-
tem-in-the-uk/
38. Mastercard, Restoring Trust in a Digital
World, March 2019, https://www.master-
card.us/content/dam/mccom/en-us/issuers/
digital-identity/digital-identity-restor-
ing-trust-in-a-digital-world-final-share-cor-
rected.pdf
39. Mastercard, Restoring Trust in a Digital
World, March 2019, https://www.master-
card.us/content/dam/mccom/en-us/issuers/
digital-identity/digital-identity-restor-
ing-trust-in-a-digital-world-final-share-cor-
rected.pdf
22 | policyexchange.org.ukCore Concepts
Different types of data that can make up a digital identity
Digital IDs include a wide variety of different types of data.40 These
include:
• General Data: name, date of birth, address.
• Biometric Data: such as a fingerprint, facial or vocal records or
iris scans.
• Attribute Data: such as a passport number, a national insurance
number or an NHS number.
• Certification Data: such as a university degree, a driving license
or a workplace qualification.
• Dynamic Data: this is data generated from online interactions
with, for example, financial institutions, retail stores, mobile
networks or Governments.
These different attributes can come from a range of sources, including
but in no way limited to:
• Bank accounts
• Credit scores
• Personal devices
• Licenses
• Digital footprints
• Medical records
When completing identity checks online, it is essential to obtain
‘genuine presence’ assurance. It is essential to ensure that accurate
personal information isn’t being used by an impersonator to gain access to
services. Checks have to be completed to ensure that the person submitting
the information is real (and that they are not using photos or masks to
gain unauthorised access) and that they are present at the time of the
transaction (thereby ensuring that fraudsters are not using a video of a
previous authentication to gain access).41 This can make digital ID schemes
controversial on civil liberties grounds, due to the fact that “biometrics
(such as fingerprint or iris scans) are increasingly used as an identification
method, from national e-ID initiatives to identifying the correct use of a
mobile phone or tablet to allow access.”42
41. IProov.com The FCA coronavirus letter ex-
plained: how to remotely onboard custom-
ers without encouraging criminals, 1 April
2020. ihttps://www.iproov.com/news-
room/blog/the-fca-coronavirus-letter-ex-
plained-how-to-remotely-onboard-custom-
ers-without-encouraging-criminals
42. YOTI, Digital Identity Toolkit Section 3: Digital
identity explained, 1 January 2010, https://
www.yoti.com/wp-content/uploads/2020/01/
Digital-Identity-Toolkit_Section-3_Digital-iden-
tity-explained.pdf
40. Mastercard, Restoring Trust in a Digital
World, March 2019, https://www.mas-
tercard.us/content/dam/mccom/en-us/
issuers/digital-identity/digital-identi-
ty-restoring-trust-in-a-digital-world-fi-
nal-share-corrected.pdf
policyexchange.org.uk | 23Verified
Different Levels of Assurance
What makes a good Digital ID?
• Verified and authenticated according to a high degree of
assurance: The standards for initial registration and subsequent
acceptance of identity verification are set high.
• Unique: an individual or business has only one identity within
a system, and every system identity corresponds to only one
individual.
• Private: Digital IDs should give users access to their personal data,
control over which other parties have access to their data and
transparency as to who has accessed their data.
• Consent-based: individuals knowingly register for and use the
digital ID with knowledge of what personal data will be captured
and how they will be used.
• Reusable: individuals can use their digital IDs to ensure access to
multiple services, ideally across both the private and public sectors.
There are differing levels of assurance that you can have in a digital
identity. The Government Digital Service’s Good Practice Guide (GPG) for
Identity Proofing and Verification of an Individual identifies 5 different
elements that need to be checked to prevent fraud:43
• Strength: get evidence of the claimed identity
• Validity: check the evidence is genuine or valid
• Activity: check the claimed identity has existed over time
• Identity Fraud: check if the claimed identity is at high risk of
identity fraud
• Verification: check that the identity belongs to the person who’s
claiming it.
After all five of these checks have been undertaken, it is then possible
to assign users to an identity profile. There are four different identity
profiles to which you can be assigned, relating to different levels of
confidence. The higher the risk of an identity-related crime, the higher
the level of assurance is necessary.44
• low confidence (previously known as ‘identity level 1’)
• medium confidence (previously known as ‘identity level 2’)
• high confidence (previously known as ‘identity level 3’)
• very high confidence (previously known as ‘identity level 4’)
43. Cabinet Office and GDS, Identity proofing
and verification of an individual, 11 Septem-
ber 2015, https://www.gov.uk/government/
publications/identity-proofing-and-verifica-
tion-of-an-individual
44. Cabinet Office and GDS, Identity proofing
and verification of an individual, 11 Septem-
ber 2015, https://www.gov.uk/government/
publications/identity-proofing-and-verifica-
tion-of-an-individual
24 | policyexchange.org.ukYou can also read
